AZL-42395 CVE-2024-24790 affecting package golang for versions less than 1.22.3-1

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

AZL-40436 CVE-2024-24788 affecting package msft-golang for versions less than 1.22.3

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop...

AZL-39851 CVE-2024-22189 affecting package coredns for versions less than 1.11.1-6

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of NEWCONNECTIONID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a...

AZL-37457 CVE-2024-24785 affecting package golang for versions less than 1.21.6-1

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates...

AZL-35422 CVE-2023-50658 affecting package telegraf for versions less than 1.29.4-1

The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service CPU consumption via a large p2c aka PBES2 Count value...

DEBIAN-CVE-2023-50658

The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service CPU consumption via a large p2c aka PBES2 Count value...

UBUNTU-CVE-2023-50658

The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service CPU consumption via a large p2c aka PBES2 Count value...

Design/Logic Flaw

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary director...

CVE-2024-24579

The set of documents identifies a path-traversal vulnerability in the Go library stereoscope (containers/image processing). Specifically, the CVE-2024-24579 entry describes a flaw prior to v0.0.1 where crafting an OCI tar archive can cause writes to paths outside the unarchive temporary directory...

CVE-2023-49568

A denial of service DoS vulnerability was found in the go library go-git. This issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which can trigger resource exhaustion in go-git clients. Mitigation In cases where a bump to...

git-urls Security Vulnerabilities

git-urls is a Go library from Will Maier's personal developer. It is used to parse Git URLs. A security vulnerability exists in git-urls version 1.0.1. An attacker could exploit this vulnerability to conduct a regular expression denial of service attack...

AZL-37425 CVE-2023-45284 affecting package golang for versions less than 1.21.6-1

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports the...

CVE-2023-46129

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server...

CVE-2023-46129 xkeys Seal encryption used fixed key for all encryption

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server...

CVE-2023-46129

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server...

Design/Logic Flaw

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses...

USN-6287-1 golang-yaml.v2 vulnerabilities

Simon Ferquel discovered that the Go yaml package incorrectly handled certain YAML documents. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause the system to crash, resulting in a denial of service...

AZL-52773 CVE-2023-39533 affecting package golang for versions less than 1.19.12-1

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

AZL-37359 CVE-2023-39533 affecting package golang for versions less than 1.21.6-1

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

Code injection

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Use...